[dns-operations] dns-operations Digest, Vol 92, Issue 13

Vernon Schryver vjs at rhyolite.com
Mon Sep 9 14:59:30 UTC 2013

> Now we (including me) have known the dangers and limitations,
> so should we set max-udp-size to 1220 on every authoritative servers?

Sometimes crazy conspiracy theories make too much sense.  Please
make up one of your own from some facts:

  - Some known major PKI failures were ostensibly in support of
      nation states.  Remember Comodo and DigiNotar

  - Nation states hate encryption and do whatever they can against
     it, from trying to outlaw it (e.g. pgp in the U.S.) to trying to
     legislate weak keys or backdoors in encryption systems
     (e.g. Clipper, also in the U.S.)

  - DANE and TLSA cannot offer perfect security (nothing can), but would
     significantly improve the PKI and complicate the work of government
     snoops and censors.

  - DANE and TLSA depend on DNSSEC.

  - http://www.postfix.org/TLS_README.html#client_tls_dane

  - a quick sample of DNSEC A answers finds them all larger than 1220 bytes

  - switching the DNS from UDP to TCP would fail because of TCP
     costs including 3 times as many packets, server state, and
     even time wait exhaustion

  - DNS reflection DoS attacks have been used as reasons for
     not supporting DNSSEC.

  - this new furor over a dubious DNS security issue is being used
     indirectly against DNSSEC

  - http://scoreboard.verisignlabs.com/

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list